MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e5c3ca2dba4a97b5ce64954a2b4a01b29a140dacfc0401dcc75471545c1f49a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Dridex
Vendor detections: 10

SHA256 hash: 3e5c3ca2dba4a97b5ce64954a2b4a01b29a140dacfc0401dcc75471545c1f49a
SHA3-384 hash: a0e1db107c5f5ae9e3ec60a4a51631c01015acc5d01ad841c8b34faa9e045cdcecea427ff21c9a3b84bdc9fd27c43a11
SHA1 hash: 65cc1ec0d4434bbe52d2c8e73943c3f845504f12
MD5 hash: 963a97b6efe44b61e3241b3747028987
humanhash: fruit-artist-equal-alabama
File name: taxve_50694104_20210816_63660_25466460.xlsm
Signature: Dridex
File size: 244'012 bytes
First seen: 2021-08-16 23:03:11 UTC
Last seen: 2021-08-17 10:07:29 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 6144:StNSLcq+YXEstmCKKIfVeSrPwqWaswkoWMM:CPYXEszKTwaEoWMM
TLSH: T1C634022684B7E160EECBA0394CAF0FE617E24F5B15C0AB1BE5D1A51EFD0ADD361504CA
Reporter: GovCERT_CH
Tags: Dridex xlsm

Intelligence

File Origin
# of uploads: 2
# of downloads: 241
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: taxve_50694104_20210816_63660_25466460.xlsm
Verdict: Malicious activity
Analysis date: 2021-08-16 23:05:50 UTC
Tags: macros40

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
File type: application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot: False
Contains macros: False
Result
Verdict: Malware
Behaviour:
Sending a UDP request
Creating a window
Creating a file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: OOXML Excel File with Excel4Macro
Result
Verdict: MALICIOUS
Details:
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.
Autostarting Excel Macro Sheet: Excel contains Macrosheet logic that will trigger automatically upon document open.
Document With No Content: Document contains little or no semantic information.
Result
Threat name: Unknown
Detection: malicious
Classification: expl
Score: 76 / 100
Signature:
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Microsoft Office creates scripting files
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Threat name: Script.Trojan.IcedID
Status: Malicious
First seen: 2021-08-16 13:57:14 UTC
AV detection: 4 of 46 (8.70%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: macro xlm
Behaviour:
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

Rule name: Microsoft_XLSX_with_Macrosheet

Rule name: Microsoft_XLSX_with_Macrosheet

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Dridex
    Excel file xlsm 3e5c3ca2dba4a97b5ce64954a2b4a01b29a140dacfc0401dcc75471545c1f49a (this sample)

Dropped by: Dridex
Delivery method: Distributed via e-mail attachment

Comments